The Last Line of Defense: Making Irrelevant the Damage from Ransomware

SSProtect maintains data integrity, confidentiality, and availability even when directly exposed to Ransomware. Our solution provides precise insight into affected data components and owners so you can prove to partners and customers that their information retained full protection.

For those unfamiliar with Ransomware proceedings, it starts sometime after you step away from your computer, and ends with the Desktop Wallpaper you come back to discover. This usually includes a message indicating that your files have been encrypted, along with instructions on how to purchase a decryption key. This is accompanied by a schedule of increasing costs over time, and culminates in a deadline at which point all data will be destroyed.

So what is one to do? Some will have you believe the best path is to make sure you have access to a Bitcoin wallet and gain familiarity with how to execute this transaction, to be sure you're not delayed and can meet the deadline. We find this a bit like preparing for a walk through the rough part of town by visiting an ATM to make sure you have plenty of cash on-hand to please the guy that mugs you. We're going to pass on that - and with what we have to say in this article, we're confident that you'll choose to do the same as well.

General Nature of Stopping Ransomware

There are many different ways to go about trying to stop Ransomware, and any attempt to list them all would turn into a book on security technologies. To date, few have had much success. The dynamic at play isn't much different from that which has been most prevalent for more than a decade - the cat and mouse game of providing updated protections that attackers then learn how to beat. Back and forth we go, which benefits the attackers who make constant and consistent improvements to their technologies. This leaves the rest of the world hoping someone else gets hit first, offering a view into the updated threat that allows vendors to release adjustments. That isn't going to do much for the community's collective security problems, though some would have you believe that security vendors don't mind charging for ongoing updates in response.

Layered Protections Using Recent Innovation

There are, however, a few companies that have developed new ways of monitoring and defending against these types of attacks, and they offer non-intrusive methods for greatly enhancing the protective posture of the systems to which they are deployed. Some of this comes from new developments in Artificial Intelligence and Neural Networks, and some from more appropriate application of data mining and operational heuristics. We strongly recommend these solutions as a part of designing complete protections for any environment.

But in reality, these will break down at least some of the time. Though the track record may be very good, it's not perfect - can't be, nothing is. Eventually, someone is going to break through or take advantage of someone asleep at the wheel. This is where another layer of protection comes into play - protection of the data, at the source. This is where DefiniSec offers innovation beyond what's been available in the past.

Tackling a Ransomware Attack Head-On

Though Ransomware may be one of the world's biggest security problems right now - and will probably hold that distinction for some time - it's not based on a particularly complicated set of threat vectors. A lot of breaches happen with attackers defeating misconfigured systems. When a corporate IT department manages thousands if not tens of thousands of hosts, it's not impossible to find a problem in the network at any given point in time. Persistent Ransomware attackers are adept at finding these weak links and taking advantage of them. And because SSProtect was developed to address the most advanced attacks being carried out, applying the solution to a Ransomware dynamic realizes highly effective results.

Let's go through it in pieces.

Traditional Challenges in Surviving a Ransomware Attack

If you want to survive a direct hit from Ransomware, you're going to need a few things:

1. You need to have backups of important information, and they have to be up-to-date the moment the attack takes place.
2. You need to be sure that unauthorized changes don't affect your backup copies. This means changes must be authenticated before they are stored.
3. You also have to make sure the restoration process is simple, efficient, and reliable. Otherwise, the backup won't matter much in the first place.

Restoration Gaps

Traditional data protection solutions back up data in batch operations - once a month, once a week, once a day. This means a Ransomware attack ends up overwriting data that hasn't yet been properly stored, so there are always losses associated with ignoring the ransom payment. How extensive these losses are depends on the nature of the work you're engaging in, the value of that work, and whether or not it can be easily replicated.

So how do you create a system that keeps consistent backups at all times? You bake it into the nature of making changes to the data in the first place. Any other approach is error-prone, and susceptible to a number of additional attacks that can be used ahead of the actual Ransomware breach. We haven't seen much of that yet, but this is where these dynamics will take us when more people get positioned to stop paying the ransom.

SSProtect achieves this with :Recover, which builds data backups directly into your use of the data. When applied, the information is backed up even before your changes are finalized on your local host. This ensures that information remains reliably matched to your intent. And because of the nature of data use and the way in which this information gets stored, the performance impact is, for the most common workflow scenarios, nearly negligible.

Integrity of Backup Data

A simple, "dumb" backup that copies source data to backup systems, in batches, doesn't have any concept of data content. This means we can overwrite the data with garbage and backup systems will replace the backed-up copies with the updated garbage. This is catastrophic when you turn to restored copies only to find that they, too, have been compromised.

SSProtect requires (optionally two-factor) authentication to save changes to managed content. This ensures that more advanced attackers can't breach the system, make changes, then execute the Ransomware application(s). The software also stores the data in a cloud repository that does not present removal capabilities. This means it's impossible to delete information from backup systems unless those systems are specifically breached. This offers the greatest degree of protection available from maturing Ransomware designed to search out backups and destroy them while encrypting content - that can't happen with SSProtect'ed systems. Also don't underestimate the advantages of storing data in isolated systems managed by a different team, decoupled from the host network that is, technically, compromised - backups live in and retain integrity in a very closely guarded set of resources that hold minimal risk of being disturbed.
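The three requirements listed above (backups current at the moment of the attack, authenticated writes, and simple restoration) can be modelled in a few dozen lines. The following is an illustrative example added to this article; it is not SSProtect's code and makes no claim about how :Recover is implemented internally. It assumes a shared write key (here a constructed constant) that authorised clients use to HMAC each version before the repository accepts it, a repository class with no delete or overwrite path at all, and a client that commits the backup before updating the local working copy. The simulated damage is a plain overwrite of working files by a process that does not hold the key.

```python
"""Model of an append-only, authenticated, versioned backup store.

Illustrative code added to the article; not SSProtect's implementation.
Properties shown: a write is backed up before it lands locally, writes
must carry a valid authentication tag, and recovery is a single call.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Version:
    seq: int        # 0-based position in the file's history
    digest: str     # SHA-256 of the content, re-checked on every read
    content: bytes


class AppendOnlyStore:
    """Repository that can add versions but exposes no delete or overwrite.

    `write_key` is an assumed shared secret: a client proves it is allowed
    to save by presenting an HMAC over (path, content). A process that only
    has the working files cannot forge that tag.
    """

    def __init__(self, write_key: bytes) -> None:
        self._key = write_key
        self._history: dict[str, list[Version]] = {}

    def expected_tag(self, path: str, content: bytes) -> bytes:
        return hmac.new(self._key, path.encode() + b"\0" + content, hashlib.sha256).digest()

    def save(self, path: str, content: bytes, tag: bytes) -> int:
        """Append a new version if the tag verifies; return its sequence number."""
        if not hmac.compare_digest(tag, self.expected_tag(path, content)):
            raise PermissionError(f"unauthenticated write to {path!r} rejected")
        versions = self._history.setdefault(path, [])
        versions.append(Version(len(versions), hashlib.sha256(content).hexdigest(), content))
        return versions[-1].seq

    def version(self, path: str, seq: int) -> Version:
        v = self._history[path][seq]
        if hashlib.sha256(v.content).hexdigest() != v.digest:
            raise ValueError(f"stored version {path!r}#{seq} failed integrity check")
        return v

    def latest(self, path: str) -> Version:
        return self.version(path, len(self._history[path]) - 1)

    def restore_all(self) -> dict[str, bytes]:
        """One-touch recovery: the latest verified version of every managed path."""
        return {p: self.latest(p).content for p in self._history}

    def history_length(self, path: str) -> int:
        return len(self._history.get(path, []))


class ManagedWorkspace:
    """The authorised writer. The repository receives the new version first;
    only after it is accepted does the local working copy change."""

    def __init__(self, store: AppendOnlyStore, write_key: bytes) -> None:
        self._store, self._key = store, write_key
        self.files: dict[str, bytes] = {}

    def write(self, path: str, content: bytes) -> int:
        tag = hmac.new(self._key, path.encode() + b"\0" + content, hashlib.sha256).digest()
        seq = self._store.save(path, content, tag)   # backup first ...
        self.files[path] = content                   # ... then the local change
        return seq

    def recover(self) -> None:
        self.files = self._store.restore_all()


def demo() -> dict:
    """Normal edits, a simulated unauthenticated overwrite, then recovery."""
    key = b"constructed-demo-key"   # constructed for the example
    store = AppendOnlyStore(key)
    ws = ManagedWorkspace(store, key)
    ws.write("contract.docx", b"draft 1")
    ws.write("contract.docx", b"draft 2 (final)")
    ws.write("notes.txt", b"meeting notes")

    # Simulated damage: working copies overwritten by a process without the
    # key, which then tries to push the result into the repository.
    ws.files = {p: b"\xff" * len(c) for p, c in ws.files.items()}
    rejected = 0
    for p, c in ws.files.items():
        try:
            store.save(p, c, b"\x00" * 32)
        except PermissionError:
            rejected += 1

    ws.recover()
    return {
        "rejected_writes": rejected,
        "recovered": ws.files,
        "history_len": store.history_length("contract.docx"),
        "first_draft": store.version("contract.docx", 0).content,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two design points carry the argument of the section: the repository class simply has no method that removes or replaces a version, so "destroy the backups" is not an operation the interface offers, and the client updates its local copy only after the repository has acknowledged the write, so there is never a window in which a finalized local change exists without a stored version.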

Cost Impact of Restoration

Restoring data takes time, and involves a process independent from normal day to day operations. It's possible to build a customized procedure with IT and teams that use sensitive content in attempts to streamline the act of restoring data when it's compromised, but it takes time to engineer that solution, test the procedures, train personnel, and invest in the additional systems required to carry out these proceedings.

SSProtect, though not at all specifically designed for Ransomware, offers a one-touch Recovery option that allows you to replace all protected content with the latest securely stored version. The software also allows you to restore individual versions of files - from the latest stored version of a file to a version stored months if not years ago (to this day, we routinely access content we stored in the weeks after entering production). Though these facilities are already easy to use, we are also working on ways to automate this procedure and, of course, when working with partners and technologies that manage Ransomware at different levels, we can then offer up the full potential of an automated solution. We should have more to say about this as we get into 2017. Note that anyone hit by an attack will also require assistance to cleanse their machine of the threat and ensure they are operating within the requirements of the Organization. This too takes time, though it is presently outside the scope of the protection SSProtect applies. This is again another opportunity for us to work with customers and partners to create more efficient ways to recover.

Effectiveness of Disabled Systems

What happens if protective systems are disabled or otherwise sabotaged? Almost all are ineffective in retaining protections. SSProtect's design provides assurances against such dynamics because information is not accessible when the system is not present. This means sabotaged offline data is restored immediately upon discovery, and the independently stored and managed backups remain unaffected. This helps protect against future instances when attack dynamics grow to include system sabotage in preparation for ransomware encryption, making sure you don't fall prey to future threats.

Third-Party Impact from Ransomware

One aspect seldom discussed is the impact on third parties. If your company has an agreement that requires you to disclose unauthorized access of sensitive content - and this is standard in most non-disclosure terms - then that information has to be collected and scoped. How does IT figure out what components of a target's machine affect different third parties - and to what extent?

SSProtect retains a log of all data access that we are extending for these dynamics. This will make it very easy for operators to identify third-party data and contact them with absolute specifics on what was attacked - and how the threat was mitigated. Unprotected data in other systems, by contrast, is wide open and available to the attacker, and becomes the potential source of a breach that has to be disclosed to customers and partners, and their customers and partners. This impacts your company's ability to do business with others, and affects reputation. By using SSProtect today, you have an immediate audit of restored content and, with shared secured content, have all the information required to make precise deductions about data owners and the scope of impact as it overlaps their concern. By contacting them and noting that xyz files were impacted but restored without any disclosure, they retain confidence that allows them to keep from making an announcement, as some requirements stipulate that any concern of disclosure requires notification. Without SSProtect, this would be exceptionally difficult, time-consuming, and costly.
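The scoping exercise described in this section is a log-processing problem: take every access and recovery event, attribute each affected path to the partner who owns it, and determine whether the file's final state is "restored" or still open. The example below is added to this article and is not SSProtect's auditing feature; the log line format, the event names (`write_rejected`, `restored`) and the path-prefix ownership map are all constructed for the illustration. It goes slightly beyond the text by flagging paths whose owner cannot be determined, since those are exactly the files an operator cannot yet report on.

```python
"""Scope third-party impact from a constructed data-access log.

Illustrative code added to the article, not SSProtect's own auditing.
Log format, event names and ownership map are constructed for the example.
"""
from collections import defaultdict

# Constructed log: `timestamp event key=value ...`, one event per line.
SAMPLE_LOG = """\
2017-01-09T02:14:07Z write_rejected path=clients/acme/contract.docx actor=unknown-process
2017-01-09T02:14:08Z write_rejected path=clients/acme/pricing.xlsx actor=unknown-process
2017-01-09T02:14:09Z write_rejected path=clients/bolt/spec.pdf actor=unknown-process
2017-01-09T02:14:10Z write_rejected path=internal/roadmap.pptx actor=unknown-process
2017-01-09T02:14:11Z write_rejected path=misc/orphan.csv actor=unknown-process
2017-01-09T09:30:00Z restored path=clients/acme/contract.docx version=7 by=it-ops
2017-01-09T09:30:01Z restored path=clients/acme/pricing.xlsx version=3 by=it-ops
2017-01-09T09:30:02Z restored path=clients/bolt/spec.pdf version=12 by=it-ops
"""

# Constructed ownership metadata: path prefix -> data owner.
OWNERS = {
    "clients/acme/": "ACME Corp",
    "clients/bolt/": "Bolt Ltd",
    "internal/": "Internal",
}


def parse_line(line: str) -> dict:
    """Split `ts event k=v k=v` into a flat record."""
    ts, event, *fields = line.split()
    rec = {"ts": ts, "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def owner_of(path: str) -> str:
    for prefix, owner in OWNERS.items():
        if path.startswith(prefix):
            return owner
    return "UNKNOWN OWNER"   # cannot be reported to anyone yet


def scope_impact(log_text: str) -> dict:
    """Return {owner: {path: {attempts, restored_version, status}}}.

    `attempts` counts rejected unauthenticated writes; a path is `restored`
    once a restore event is seen, otherwise it stays `OPEN`.
    """
    state: dict[str, dict] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        entry = state.setdefault(rec["path"], {"attempts": 0, "restored_version": None})
        if rec["event"] == "write_rejected":
            entry["attempts"] += 1
        elif rec["event"] == "restored":
            entry["restored_version"] = int(rec["version"])

    report: dict = defaultdict(dict)
    for path, entry in state.items():
        status = "restored" if entry["restored_version"] is not None else "OPEN"
        report[owner_of(path)][path] = {**entry, "status": status}
    return dict(report)


def open_items(report: dict) -> list:
    """Paths that still need action before the partner report is complete."""
    return sorted(p for files in report.values() for p, e in files.items() if e["status"] == "OPEN")


if __name__ == "__main__":
    rep = scope_impact(SAMPLE_LOG)
    for owner, files in rep.items():
        print(owner)
        for path, e in files.items():
            print(f"  {path}: {e['status']} (attempts={e['attempts']}, version={e['restored_version']})")
    print("open:", open_items(rep))
```

The per-owner grouping is what turns a raw log into the notification the section describes: ACME Corp can be told that two specific files were targeted and both were restored to a known version, while anything left in the `OPEN` list (or under `UNKNOWN OWNER`) is the residual work IT must finish before the report can claim no disclosure occurred.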

In Summary

SSProtect provides the last line of defense for Ransomware, capable of sustaining a direct hit and replacing all protected content with up-to-date and valid instances of your data. Our next release, due out at the start of next year, will include unique auditing capabilities that tell you exactly what was sabotaged and what was not, in conjunction with data ownership information, allowing you to submit reports to concerned partners and customers showing exactly how you managed the threat while ensuring that data wasn't disclosed or lost.

Ransomware is here to stay, and as organizations become more prepared to avoid paying the ransom, attack dynamics will change. By incorporating a reliable system with data integrity assurances and precision auditing, you will always remain a step ahead of what attackers can, and most likely will, bring to future dynamics.